Local differentially private mechanisms to measure performance demographic disparities in federated learning

ABSTRACT

Provided is a method for determining a performance gap of a model for users of different groups, comprising: obtaining, with a computer system, group membership values and data values of a user; applying, with the computer system, a first perturbation to a group membership values of the user; applying, with the computer system, a second perturbation to perturb data values of the user based on the applied first perturbation; and outputting, with the computer system, perturbed data values and perturbed group membership values of the user.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application 63/344,946, titled “LOCALLY DIFFERENTIALLY PRIVATE MECHANISMS TO MEASURE PERFORMANCE DEMOGRAPHIC DISPARITIES IN FEDERATED LEARNING”, filed 23 May 2022, and U.S. Provisional Application 63/346,785, titled “LOCAL DIFFERENTIALLY PRIVATE MECHANISMS TO MEASURE PERFORMANCE DEMOGRAPHIC DISPARITIES IN FEDERATED LEARNING,” filed 27 May 2022. The entire contents of each afore-mentioned patent filing is hereby incorporated by reference.

GOVERNMENT LICENSE RIGHTS

Government License Rights: This invention was made with government support under grants 1943584, 1916153, and 1956435 awarded by the National Science Foundation (NSF). The government has certain rights in the invention.

BACKGROUND

The present disclosure relates generally to federated learning in the context of machine learning.

Federated learning, in some use cases, allows many devices to collaborate in training of machine learning models. As in other forms of machine learning, there is a growing concern that models trained with federated learning may exhibit disparate performance for different demographic groups. Existing solutions to measure and ensure equal model performance across groups typically require access to information about group membership, but this access is not always available or desirable, especially under the privacy aspirations motivating some uses of federated learning.

Protecting both user group membership and the federated model's local performance is helpful for privacy, because they may be correlated, and thus learning one may reveal the other. On the other hand, from the utility perspective, the privacy-preserved data should maintain the correlation to ensure ability to perform accurate measurements of the performance disparity. None of which is to suggest that any technique suffering to some degree from these issues is disclaimed or that any other subject matter is disclaimed.

SUMMARY

The following is a non-exhaustive listing of some aspects of the present techniques. These and other aspects are described in the following disclosure.

Some aspects include measurement of performance disparities for federated models, including performance disparities between members of various groups, which may be attributable at least in part to user group membership.

Some aspects include measurement of federated model performance, such as based on user data.

Some aspects include measurement of federated model performance based on a user's group membership, including when protecting privacy of a user's group membership. Some aspects include measurement of federated model performance while protecting the privacy of at least some of the federated learning users' data, which may include group membership.

Some aspects include measurement of federated model performance based on a relationship between a user's group membership and model performance. Some aspects include measurement of federated model performance while protecting a user's group membership.

Some aspects include determination of a performance gap, including when privacy protections are in place.

Some aspects include a locally differentially private mechanism, which may preserve a correlation between group membership and model performance. In some embodiments, a locally differentially private mechanism may preserve a model output or expectation value of a model output while applying privacy to a user's group membership. In some embodiments, the mechanism is an algorithm. In some embodiments the mechanism is operable on a client's and user's device. In some embodiments, the mechanism operates based on a privacy budget. In some embodiments, the mechanism may operate on multiple privacy budgets. In some embodiments, the mechanism adds noise to a user's data or group membership. In some embodiments, the mechanism discretizes a user's data or group membership. In some embodiments, perturbed data, which may be anonymized data, is generated from user data. In some embodiments, perturbed tuples, which may be a combination of user group identification and user data, are provided to the federated learning model.

Some aspects include estimation of a group average (e.g., expectation) of perturbed values. Some aspects include estimation of a group average of perturbed values for a given group membership. Some aspects include maintenance of a group average through a perturbation, where a group average of a perturbed value may be substantially equal to a group average of the value before perturbation. In some embodiments, group averages may be preserved between data and perturbed data. In some embodiments, the amount of perturbation may depend on the number or relative number of users in a group. In some embodiments, the amount of perturbation may depend on a privacy budget. Some aspects include discretized perturbations. Some aspects include additive perturbations, including noise distribution perturbations. In some embodiments, dispersion of user values may be preserved between data and perturbed data.

Some aspects include optimizing, for a given privacy budget, the amount of perturbation applied to perturb data. Some aspects include multiple privacy budgets, including partition of a privacy budget. Some aspects include determining a measure of information that may be gained by an adversary from perturbed data.

Some aspects include estimating a model disparity. Some aspects include bounding an error in estimating a disparity, including bounding an error in the disparity itself. Some aspects include optimizing an error in estimating disparity. Some aspects include optimizing, for a given privacy budget, an error in estimating disparity.

Some aspects include a locally differentially private mechanism based on randomized response. Some aspects include a locally differentially private mechanism based on generalized randomized response. Some aspects include a locally differentially private mechanism based on a Laplace response. In some embodiments, the mechanism is applied to cross-device federated learning. In some embodiments, the mechanism is applied to cross-silo federated learning.

Some aspects include an unbiased estimator of model performance.

Some aspects include a measure of fairness.

Some aspects include allocation of a privacy budget.

Some aspects include application of a locally differentially private mechanism to an unbalanced group.

BRIEF DESCRIPTION OF THE DRAWINGS

The above-mentioned aspects and other aspects of the present techniques will be better understood when the present application is read in view of the following figures in which like numbers indicate similar or identical elements:

FIG. 1 is a graph of the mean squared error (MSE) of the performance gap of two groups of the same size, in accordance with one or more embodiments;

FIG. 2 is depicts graphs of the upper bounds of the MSEs for two groups with different size ratios, in accordance with one or more embodiments;

FIG. 3 is a graph that depicts allocations of privacy budgets which satisfy the locally differentially private (LDP) constraint, in accordance with one or more embodiments;

FIG. 4 is a graph of the empirical and theoretical MSE for a mechanism, in accordance with one or more embodiment;

FIG. 5 is a system diagram that illustrates an example distributed computing system that may be used to implement techniques described herein; and

FIG. 6 is a system diagram that illustrates an example computing system that may be used as a component of systems implementing techniques described herein, in accordance with one or more embodiments.

While the present techniques are susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. The drawings may not be to scale. It should be understood, however, that the drawings and detailed description thereto are not intended to limit the present techniques to the particular form disclosed, but to the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the present techniques as defined by the appended claims.

DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS

To mitigate the problems described herein, the inventors had to both invent solutions and, in some cases just as importantly, recognize problems overlooked (or not yet foreseen) by others in the field of machine learning. Indeed, the inventors wish to emphasize the difficulty of recognizing those problems that are nascent and will become much more apparent in the future should trends in industry continue as the inventors expect. Further, because multiple problems are addressed, it should be understood that some embodiments are problem-specific, and not all embodiments address every problem with traditional systems described herein or provide every benefit described herein. That said, improvements that solve various permutations of these problems are described below.

As in traditional machine learning models, models trained with federated learning may exhibit disparate performance across demographic groups. Model holders may identify these disparities in order to mitigate undue harm to the groups. However, measuring a model's performance in a group may require access to information about group membership which, for privacy reasons, often has limited availability. In some embodiments, locally differentially private mechanisms may be used to measure differences in performance across groups while protecting the privacy of group membership. To analyze the effectiveness of the mechanisms, the error may be bound while estimating a disparity when a given mechanism is optimized for a given privacy budget. In some embodiments, that error may rapidly decrease for realistic numbers of participating clients, demonstrating that protecting privacy is not necessarily in conflict with identifying performance disparities of federated models.

Federated learning (FL) may be used to distribute the training of machine learning models across multiple organizations and multiple devices. Even though most of the academic literature in FL has focused on deployments across multiple organizations, also known as cross-silo federated learning (SFL), there are several largescale deployments of cross-device federated learning (DFL) in the industry. Cross-device federated learning (DFL) has become a popular way to distribute the training of machine learning (ML) models across multiple devices. Currently, there are several large-scale deployments of DFL in the industry, such as Android GBoard's next-word prediction, and Siri's speaker identification. A motivation for these deployments is the aspiration of training powerful models while ensuring privacy and data minimization. A motivation for DFL is the aspiration of training powerful machine learning models while ensuring, or at least partially providing, data minimization and privacy of the individuals involved. In some embodiments, mechanisms are applied to SFL, DFL, and other methods of FL.

However, ML models have been shown to exhibit disparate performance across groups, often falling short for people from marginalized groups, in the domains of vision, natural language processing, and healthcare; and, more recently, these performance disparities have also been observed in DFL. The challenge of disparate performance and, therefore, disparate impact, is relevant also for models trained with federated learning.

Performance disparities may be harmful beyond merely the individual's experience of worse quality of service. For example, a greater false positive rate of Alexa's wake-word detection on a group may lead to over-surveillance of that group, as a false activation may record unrelated speech and send it to the cloud for further processing. Some non-federated speech recognition models may perform worse when interpreting voices of women and people of non-white ethnicities. When, for example, a wake-word is incorrectly detected, samples of unrelated speech may be sent to a server for speech recognition. In some current implementations, mistaken activations may result in up to a minute of speech recording being uploaded to the cloud. Thus, apart from worse user experience, members of these groups may be subject to more surveillance. In another example, by default a browser may preemptively resolve the domain name for the URL bar autocompletes. When used in conjunction with a DFL system, groups that have worse ranking recommendations resolve irrelevant domain names, and thus may unnecessarily be more exposed to network adversaries. Further, in applications of DFL to the security domain, such as authentication, a performance disparity may lead to a lower security level for certain groups.

Overall, DFL has enormous traction in industry and academia and, if it were to become a de-facto data minimization or privacy standard for much of ML, as current trends suggest, an unknown performance disparity dependent on a demographic group may have tremendous negative consequences in many application domains. None of which is to suggest that any technique suffering to some degree from these issues is disclaimed or that any other subject matter is disclaimed.

One challenge in detecting and mitigating disparate performance of a DFL model is that access to information about the attributes related to group membership is often limited or noisy. Regulations, such as the GDPR in the EU, may mandate that protected attributes, such as gender or race, be collected only under appropriate privacy protections and explicit informed consent. In addition, without adequate privacy protection, volunteers who are members of stigmatized groups may be more likely to provide a false group membership, which can add noise to the collected attributes.

Some ML approaches attempt to reconcile the goals of protecting the privacy of group membership and mitigation of performance disparity by engaging a third-party in the collection of the protected attributes, use of secure multi-party computation, and ensuring differential privacy of the attributes. In some instances, disparity may be mitigated on a model that is used to make decisions about individuals (e.g., a model which receives data from multiple individuals), whereas DFL models may be distributed to clients for use on their own data (e.g., may make decisions based on data from a user on the user's own device). Credit score prediction models are an example of the former, and wake-word detection models, an example of the latter. Due to this distinction, the fairness definitions used by previously employed techniques may not be relevant for these DFL applications. In some embodiments, a measure of unfairness determined by the difference in the performance of the global model across groups of clients may be determined instead, where this may be an informative metric about the disparate performance of DFL models. Again, none of which is to suggest that any subject matter is disclaimed.

In some embodiments, the seemingly incompatible goals of ensuring group membership privacy and mitigating performance disparity may be reconciled via local differential privacy (LDP). In some embodiments, LDP mechanisms may allow performance disparities to be measured while protecting the privacy of the attributes that define group membership. To compare the mechanisms over a range of privacy levels, number of clients, and group sizes, measurement error such mechanisms induce may be characterized as a function of the privacy budget. In some embodiments, privacy budget allocations may be found that minimize the error under a privacy constraint.

For some embodiments, theoretical analysis may show that the mechanisms may ensure strong privacy guarantees while the measurement error may be relatively low for typical numbers of clients in a DFL setting. In some embodiments, the aggregator of the models, or even a regulatory agency may identify cases of performance disparity in applications where such disparity is undesirable or harmful for some of the groups.

In some embodiments, contributions towards the private measurement of demographic disparities in the performance of FL models may include:

-   -   In some embodiments, local differential privacy mechanisms may         provide strong privacy guarantees on the group membership while         enabling measurements of the difference in a DFL model's mean         performance between demographic groups. These mechanisms may         also protect the federated model's performance on the user's         data, which may be correlated with group membership.     -   In some embodiments, an analysis of the mechanisms over a wide         range of privacy levels, number of clients, and group sizes may         be performed. To draw a comparison between the mechanisms, a         characterization of their measurement error as a function of the         privacy budget, and findings of the budget allocation that         minimizes this error under a privacy constraint may be made.     -   In some embodiments, the trade-offs between privacy and utility         that the operator of the mechanisms has to make are determined         (e.g., quantitatively, qualitatively, etc.). In some         embodiments, mechanisms that can enable mitigation strategies to         promote equal model performance across groups in the DFL setting         may be provided. Aspects indicate that existing DFL deployments         may be able to afford the privacy budgets required by a         high-accuracy measurement with strong privacy guarantees.     -   Trade-offs for some embodiments are evaluated on data         synthetically generated from a real-world dataset. In some         embodiments, the results show that the theoretical bounds not         only hold, but are significantly more conservative than the         empirical errors, indicating that, in practice, the measurements         may be more accurate at the same privacy level.

In addition, in some embodiments, a real-world activity detection dataset is used to generate synthetic data and evaluate the error of the mechanisms for a realistic number of clients.

Techniques described herein may be further explicated by reference to “You Can't Fix What You Can't Measure”: Privately Measuring Demographic Performance Disparities in Federate Learning, 11 Jan. 2023, https://arxiv.org/abs/2206.12183v1, the entire contents of which is hereby incorporate by reference in its entirety.

Differential Privacy

Differential Privacy (DP) is a privacy technique that bounds the amount of individual information that an adversary can infer from the data. In some embodiments, two main DP trust models—the central and the local model—may be used. The central model may assume a trusted curator that holds a dataset and enforces the DP guarantee on queries performed by external entities. By contrast, in the local model the individuals protect their inputs with DP before sharing them. The local model may not need a curator but may require larger perturbations than the central model for the same privacy guarantee, thus incurring greater error on the utility of the statistics. The local model may better suited for cross-device federated learning (DFL), as it may be unclear who would play the role of a curator in the existing deployments of DFL. In addition, the high number of clients in the typical DFL setting may attenuate the privacy-induced error of an LDP mechanism while eliminating the need for a trusted third-party.

ϵ-Local Differential Privacy (ϵ-LDP)

Hereinafter, ϵ-Local Differential Privacy (ϵ-LDP) may describe a randomized mechanism

: D→R, which may satisfy ϵ-LDP where ϵ>0 if, and only if, for any pair of inputs v, v′∈D and for all y∈R Equation 1 holds.

$\begin{matrix} {\frac{\Pr\left\lbrack {{\mathcal{M}(v)} = y} \right\rbrack}{\Pr\left\lbrack {{\mathcal{M}\left( v^{\prime} \right)} = y} \right\rbrack} \leq e^{\epsilon}} & (1) \end{matrix}$

where ϵ is the privacy budget, Pr is the probability,

is the mechanism by which an input (e.g., v) is mapped to an output (e.g., y), and the probabilities are taken over the randomness of

.

One of the simplest LDP mechanisms may be Randomized Response (RR). RR was designed to provide plausible deniability to survey respondents. For a binary protected attribute, RR may return the true value with probability a and give the opposite value otherwise (e.g., with probability 1−α). Generalized RR (GRR) may extend RR to a non-binary protected attribute by uniformly distributing the probability of giving a different value.

The GRR Mechanism

The GRR mechanism: For x∈{0, . . . , d}, d≥1, and

${a \in \left\lbrack {\frac{1}{2},1} \right\rbrack},$

the GRR mechanism, M_(GRR), may be given by Equation 2, below:

$\begin{matrix} {{\Pr\left\lbrack {{\mathcal{M}_{GRR}\left( {{x;d},a} \right)} = y} \right\rbrack}:=\left\{ \begin{matrix} a & {{{if}y} = x} \\ \frac{1 - a}{d - 1} & {{{if}y} \neq x} \end{matrix} \right.} & (2) \end{matrix}$

If

${a = \frac{e^{\epsilon}}{e^{\epsilon} + d - 1}},$

M_(GRR) may be ϵ-LDP, and when d=2, M_(GRR) is the binary RR mechanism.

Federated Learning

FL may allow many clients, each with its own dataset, to train a model on the union of all datasets, without any dataset having to leave its client's device. The training may be distributed over the clients, who train local models on their datasets. The clients may then share the local models' parameters with a central aggregator, who may average them to obtain the parameters of the global model.

There are different types of FL depending on who the clients are. In some embodiments, mechanisms may be focused on cross-device FL (DFL), where clients run on different devices (e.g., smartphones) and the training data usually belongs to the same user. DFL may be becoming increasingly popular in the Big Tech industry.

Motivated by the harms of disparate performance of the global model in DFL, the notion of unfairness may be considered in the DFL setting, which may be the disparate performance across groups of clients with the groups defined by a demographic attribute, such as sex or race.

Formally, an attribute may be a set

={0, . . . , d}, with d≥1, that induces a partition of the clients,

={G₀, . . . , G_(d)}. There may be K clients and (g_(k),v_(k)) may denote the values of the attribute (g_(k)∈

) and the performance of the model for client k, respectively. The client may obtain v_(k) (e.g., the performance of the model for themself) by evaluating the global model on a fraction of their data. The choice of an appropriate performance metric may depend on various factors, such as the learning task and the potential harms in a particular application.

Group Mean Performance

The mean performance of a group G∈

may be

${m_{G}:={\frac{1}{n}{\sum}_{i = 1}^{n}v_{i}}},$

where n=|GI|. To quantify the difference in performance between any two groups, the absolute difference between the mean performances of the global model on the groups may be measured.

Performance Gap

The performance gap between any two A, B∈

is defined by Δm:=|m_(A)−m_(B)|. The difference in performance between any two partitions may be given by the absolute value of the difference between the mean performances of the given partitions.

This notion of (un)fairness may be in contrast with traditional fairness definitions that measure model performance on individual predictions. Previous definitions may be suitable for scenarios where data points represent people and each single prediction concerns an individual (e.g., credit score prediction). However, these definitions may not be suited for the notion of (un)fairness where a data point may represent a group and the model may have different performance levels for different groups. In the typical DFL setting, the global model is distributed to the clients for use on their own data and they are not necessarily the subjects of the predictions. Disparate performance of the global model across groups of users may lead to a disparate impact; in some embodiments, the performance gap may be used to capture this disparity across groups.

Adversary Model

In some embodiments, it may be assumed that the entity performing the measurements of the performance gap is the FL aggregator. In some embodiments, the mechanisms may also be used by an external entity, such as a regulatory agency or a public interest auditor. As is true in some popular DFL deployments, in some embodiments, it may be assumed that the aggregator uses Secure Aggregation. Therefore, in some embodiments, the aggregator may not infer information from the FL updates about the users' protected attributes.

Both the group and the model performance value may contain privacy-sensitive information (the group—because it corresponds to an attribute such as race; the performance—because of the potential correlation with the group). Thus, in some embodiments, the clients may apply an LDP mechanism,

, on their group-value tuples before sending them to the aggregator. A perturbed tuple (e.g., a tuple on which the LDP mechanism

has been applied) may be denoted by (g_(k)′, v_(k)′):=

(g_(k), v_(k)). From a privacy perspective, in some embodiments, it may be assumed that the aggregator follows the protocol as intended but may try to learn g_(k) or v_(k) from (g_(k)′,v_(k)′).

In some embodiments, an answer to the following question is sought: how can the aggregator measure the performance gap while protecting the privacy of the clients' (g_(k), v_(k)) tuples with an LDP mechanism? To address this question, LDP mechanisms may be designed and the tradeoffs they impose in terms of their privacy guarantees and the error they induce in a measurement may be studied. In some embodiments the number of clients of current DFL deployments may be sufficient to allow for low-error and high-privacy measurements with the mechanisms described herein.

Measuring the Performance Gap

Since the performance gap may be the absolute difference of two group mean performances, private group mean estimation may first be performed and then the privacy guarantees may be shown to hold when combining them into a performance gap estimation.

A major distinction between group mean estimation and population mean estimation may be that, in estimating a group mean performance, the performance may be correlated with the group—especially, if there is a gap (e.g., in performance between groups). In that case, an adversary may be able to learn group information from observing the performance.

In some embodiments, a successful mechanism may protect both group and performance values. A naïve approach is to protect both independently, but that may destroy the necessary information to measure the gap. Thus, in some embodiments, the mechanisms described herein are designed to preserve the overall aggregate correlation between the group and the performance values, while preventing inference of the group that an individual client belongs to from the perturbed tuples.

In some embodiments, the mechanisms may use

_(GRR) to perturb the group values. Perturbing the group with GRR may provide plausible deniability for group membership. As a result, clients may have less incentives to lie, as they may always claim that the mechanism assigned them to a different group.

In some embodiments, two mechanisms that differ by how they perturb the performance values are used.

The

_(R) Mechanism

After perturbing the group (line 1 in Algorithm 1),

_(R) may discretize the value with Harmony's discretization (lines 3-5) and then may apply GRR on the discretized value (line 6). The Harmony discretization may allow for unbiased estimates of the expected value from the discretized values. The mechanism may set to zero the performance value of the clients who flip their group (line 2). This may ensure that they do not contribute to the other group's mean performance value.

Algorithm 1: Pseudocode of the privacy mechanism: M_(R) Input: The client's group g ∈ {0, 1} and performance value v ∈ [−1, 1]. The privacy budgets ϵ₁, ϵ₂ ∈ [0, +∞) Output: The perturbed tuple: (g′, v′), g′ ∈ {0, 1} and performance value v′ ∈ {−1, 1}. 1 $\left. g^{\prime}\leftarrow{{M_{GRR}\left( {{g;d},\frac{e^{\epsilon_{1}}}{e^{\epsilon_{1}} + d - 1}} \right)}//{Perturb}{the}{group}} \right.$ 2 if g ≠ g′ then 3  |v ← 0 // The performance distribution of the other group is unknown 4 end ${{Draw}{}B} \sim {{Bernoulli}{}\left( \frac{1 + v}{2} \right)}$ 6 $\left. v^{\prime}\leftarrow{{2*{M_{GRR}\left( {{B;2},\frac{e^{\epsilon_{2}}}{1 + e^{\epsilon_{2}}}} \right)}} - 1} \right.//{{Perturb}{the}{value}{and}}$ transform 7 return (g′, v′) The

_(L) Mechanism

_(L) may be identical to

_(R) except that instead of applying GRR to perturb the values, it may use the Laplace mechanism. For continuous values, the classic LDP mechanism may be the Laplace mechanism, which may draw noise from a Laplace distribution and adds it to the inputs. The scale of the noise may vary depending on whether the client's group has been perturbed. Clients whose group is flipped may not require as much noise to hide in the value distribution of the other group, as those values are also perturbed with Laplace noise. Thus,

_(L) uses a parameter k, 0<k≤2, that may allow fine-tuning of the scale of the Laplace distribution of the noise for the clients whose group was perturbed. In addition, the value of the clients performance value that switch to another group is set to zero, such that, like in

_(R), they do not contribute to that group's mean value.

Because the mechanisms are the composition of the GRR and the Laplace mechanisms, they may have two privacy budget parameters: ϵ₁ and ϵ₂, the privacy budget to protect the group and the performance values, respectively.

In some embodiments, the mechanisms may achieve ϵ-LDP for an overall privacy budget ϵ.

_(R) is ϵ-LDP with ϵ=max{ϵ₁, ϵ₂}.

In some embodiments, it may be shown that

_(R) is ϵ-LDP with ϵ=max{ϵ₁, ϵ₂}. For simplicity, two parameters depending on privacy budgets may be used where

$a = {{\frac{e^{\epsilon_{1}}}{e^{\epsilon_{1}} + d - 1}{and}b} = {\frac{e^{\epsilon_{2}}}{1 + e^{\epsilon_{2}}}.}}$

Input to the mechanism may be denoted using two different inputs x₀=(g₀, v₀) and x₁=(g₁, v₁), while an output of the mechanism may be denoted y=(g′, v′). For an arbitrary input x=(g, v), the probability is then given by Equation 3, below:

$\begin{matrix} {{P{r\left\lbrack {y{❘x}} \right\rbrack}} = \left\{ \begin{matrix} \frac{a\left( {1 + {\left( {{2b} - 1} \right)v^{\prime}v}} \right.}{2} & {{{if}g^{\prime}} = g} \\ \frac{1 - a}{2\left( {d - 1} \right)} & {{{if}g^{\prime}} \neq g} \end{matrix} \right.} & (3) \end{matrix}$

In some embodiments, this may be shown for d=1, where the case d>2 may be shown analogously.

Since v∈[−1,1] and v′∈{−1,1}, an upper bound of Pr[y|x] when g′=g is given by Equation 4:

Pr[y|x]≤ab  (4)

and a lower bound is given by Equation 5:

Pr[y|x]≥a(1−b)  (5)

This may give a bound for Pr[y|x₀]/Pr [y|x₁], where x₀ and x₁ differ in either group or value. If they have the same group but may (or may not) differ in value, the bound may be considered for two cases: g′=g and g′≠g (where g=g₀=9i)

-   -   Case 1: g′=g. Using the upper and lower bounds, Equation 6 may         be obtained:

$\begin{matrix} {{\frac{P{r\left\lbrack {y{❘x_{0}}} \right\rbrack}}{P{r\left\lbrack {y{❘x_{1}}} \right\rbrack}} \leq \frac{ab}{a\left( {1 - b} \right)}} = e^{\epsilon_{2}}} & (6) \end{matrix}$

-   -   Case 2: g′≠g. Using the probability of Pr[y|x₁] when g′≠g,         Equation 7 may be obtained:

$\begin{matrix} \left. {{\frac{P{r\left\lbrack {y{❘x_{0}}} \right\rbrack}}{P{r\left\lbrack {y{❘x_{1}}} \right\rbrack}} = {1 \leq e^{\epsilon_{2}}}},{{{as}\epsilon_{2}} \in \left\lbrack {0,{+ \infty}} \right.}} \right) & (7) \end{matrix}$

These Equations may show that if the inputs have the same group, the differential privacy guarantee may become the guarantee of the value-perturbing GRR mechanism.

If x₀ and x₁ differ in group, the analysis may again be broken down into two cases: g=g₀≠g₁ and g=g₁≠g₀.

-   -   Case 1: g=g₀≠g₁. Using the upper and lower bounds and taking         ϵ₂=0 as the minimum value for the denominator, Equation 8 may be         obtained:

$\begin{matrix} {{\frac{P{r\left\lbrack {y{❘x_{0}}} \right\rbrack}}{P{r\left\lbrack {y{❘x_{1}}} \right\rbrack}} \leq \frac{2ab}{1 - a}} = {\frac{2e^{\epsilon_{2} + \epsilon_{1}}}{1 + e^{\epsilon_{2}}} \leq e^{\epsilon_{1}}}} & (8) \end{matrix}$

-   -   Case 2: g=g₁≠g₀. Using the lower bound and that 1≤e^(ϵ) ² as the         minimum value for the denominator, Equation 9 may be obtained:

$\begin{matrix} {{\frac{P{r\left\lbrack {y{❘x_{0}}} \right\rbrack}}{P{r\left\lbrack {y{❘x_{1}}} \right\rbrack}} \leq \frac{1 - a}{2{a\left( {1 - b} \right)}}} = {{\frac{1 + e^{\epsilon_{2}}}{2e^{\epsilon_{1}}} \leq \frac{2e^{\epsilon_{2}}}{2e^{\epsilon_{1}}}} = e^{\epsilon_{2} - \epsilon_{1}}}} & (9) \end{matrix}$

By combining the equations above, it may be concluded that

_(R) is ϵ-DP with ϵ=max{ϵ₁, ϵ₂, ϵ₁−ϵ₂}=max{ϵ₁, ϵ₂} and, thus, the optimal privacy budget allocation may be ϵ₁=ϵ₂=ϵ

The mechanism

_(L) is ϵ-LDP with a privacy budget E given by Equation 10:

$\begin{matrix} {\epsilon = {\max\left\{ {\epsilon_{2},{{\ln\left( \frac{2}{k} \right)} + \frac{\epsilon_{2}}{2} - \epsilon_{1}},{{\ln\left( \frac{2}{k} \right)} + \frac{\epsilon_{2}}{2} + \epsilon_{1}}} \right\}}} & (10) \end{matrix}$

In some embodiments, it may be shown that Equation 10 holds. For example, for k=2, although this may also hold for other values of k. Input to the mechanism may be denoted using two different inputs x₀=(g₀ v₀) and x₁=(g₁, v₁), while an output of the mechanism may be denoted y=(g′, v′). Because

_(L) perturbs the values with Laplacian noise, for an arbitrary input x=(g, v), the probability may be given by Equation 11, below:

$\begin{matrix} {{P{r\left\lbrack {y{❘x}} \right\rbrack}} = \left\{ \begin{matrix} {\frac{e^{\epsilon_{1}}}{e^{\epsilon_{1}} + d - 1}{f_{{Lap}{({0,\frac{2}{e_{2}}})}}\left( {v - v^{\prime}} \right)}} & {{{if}g^{\prime}} = g} \\ {\frac{1}{e^{\epsilon_{1}} + d - 1}{f_{{Lap}{({0,\frac{2}{e_{2}}})}}\left( v^{\prime} \right)}} & {{{if}g^{\prime}} \neq g} \end{matrix} \right.} & (11) \end{matrix}$

This may be because when the mechanism preserves the group, v′=v+Y where

${Y \sim {{Lap}\left( {0,\frac{2}{\epsilon_{2}}} \right)}},$

hence the probability of the new value is the probability of sampling v′−v from the Laplace distribution with zero mean and scale of

$\frac{2}{\epsilon_{2}}.$

When the group is flipped, the mechanism sets v to zero, therefore in that case it is the probability of sampling v′ from

${Lap}\left( {0,\frac{k}{\epsilon_{2}}} \right)$

As shown for

_(R), this can be shown using case-based reasoning. If x₀ and x₁ have the same group but differ in value, two cases g′=g and g′≠g may be considered.

-   -   Case 1: g′=g.

$\begin{matrix} {\frac{P{r\left\lbrack {y{❘x_{0}}} \right\rbrack}}{P{r\left\lbrack {y{❘x_{1}}} \right\rbrack}} = {\frac{f_{{Lap}{({0,\frac{2}{e_{2}}})}}\left( {v^{\prime} - v_{0}} \right)}{f_{{Lap}{({0,\frac{2}{e_{2}}})}}\left( {v^{\prime} - v_{1}} \right)} = {e^{\epsilon_{2}({\frac{❘{v^{\prime} - v_{1}}❘}{2} - \frac{❘{v^{\prime} - v_{0}}❘}{2}})} \leq e^{\epsilon_{2}}}}} & (12) \end{matrix}$

-   -   Case 2: g′≠g.

$\begin{matrix} {\frac{P{r\left\lbrack {y{❘x_{0}}} \right\rbrack}}{P{r\left\lbrack {y{❘x_{1}}} \right\rbrack}} = {\frac{f_{La{p({0,\frac{2}{e_{2}}})}}\left( v^{\prime} \right)}{f_{La{p({0,\frac{2}{e_{2}}})}}\left( v^{\prime} \right)} = 1}} & (13) \end{matrix}$

If x₀ and x₁ differ in group, two additional cases g=g₀≠g₁ and g=g₁≠g₀ may be considered.

-   -   Case 1: g=g₀≠g₁:

$\begin{matrix} {{\frac{P{r\left\lbrack {y{❘x_{0}}} \right\rbrack}}{P{r\left\lbrack {y{❘x_{1}}} \right\rbrack}} \leq \frac{\frac{e^{\epsilon_{1}}}{e^{\epsilon_{1}} + d - 1}{f_{La{p({0,\frac{2}{e_{2}}})}}\left( {v^{\prime} - v_{0}} \right)}}{\frac{e^{\epsilon_{1}}}{e^{\epsilon_{1}} + d - 1}{f_{La{p({0,\frac{2}{e_{2}}})}}\left( v^{\prime} \right)}}} = {e^{\epsilon_{1} + {\epsilon_{2}({\frac{❘{v\prime}❘}{2} - \frac{❘{v^{\prime} - v_{0}}❘}{2}})}} \leq e^{\epsilon_{1} + \frac{\epsilon_{2}}{2}}}} & (14) \end{matrix}$

where the last inequality follows from

${\frac{❘v^{\prime}❘}{2} - \frac{❘{v^{\prime} - v_{0}}❘}{2}} \leq {\frac{1}{2}.}$

-   -   Case 2: g=g₁≠g₀:

$\begin{matrix} {\frac{P{r\left\lbrack y \middle| x_{0} \right\rbrack}}{P{r\left\lbrack y \middle| x_{1} \right\rbrack}} = {e^{{\epsilon_{2}({\frac{❘{v^{\prime} - v_{1}}❘}{2} - \frac{❘v^{\prime}❘}{2}})} - \epsilon_{1}} \leq e^{\frac{\epsilon_{2}}{2} - \epsilon_{1}}}} & (15) \end{matrix}$

where the last inequality follows from the triangle inequality:

${\frac{❘{v^{\prime} - v_{1}}❘}{2} - \frac{❘v^{\prime}❘}{2}} \leq \frac{❘v_{1}❘}{2} \leq {\frac{1}{2}.}$

Finally, combining all the inequalities above (e.g., Equations 12-15), the E in the bound of the probability ratio may be found as Equation 16, below:

$\begin{matrix} {\epsilon = {{\max\left\{ {\epsilon_{2},{\frac{\epsilon_{2}}{2} - \epsilon_{1}},{\frac{\epsilon_{2}}{2} + \epsilon_{1}}} \right\}} = {\max\left\{ {\epsilon_{2},{\frac{\epsilon_{2}}{2} + \epsilon_{1}}} \right\}}}} & (16) \end{matrix}$

Thus, the optimal budget allocation for mechanism

_(L) with k=2 may be ϵ₂=Σ and

$\epsilon_{1} = \frac{\epsilon}{2}$

These bounds may be tighter than the ones obtained with the basic theorem on sequential composition of DP mechanisms. The tightness of the LDP bound may be important to provide an upper bound for the privacy of the mechanism, when comparing it with other mechanisms, as well as quantifying the privacy vs. utility tradeoff.

Performance Evaluation

In some embodiments, to measure the privacy-induced error, the measurement may be treated as an estimator of m_(G) under the randomness of the mechanisms. A key metric of the quality of an estimator is its Mean Squared Error (MSE), as it may capture the error due to both the estimator's variance and its bias. Based on a showing that the estimators are unbiased, their MSEs may be compared by simply comparing their variance. Further, knowing the estimators' variance allows probabilistic bounding of the distance between a performance gap measurement and its true value as a function of the number of clients, which is informative to assess the feasibility of the mechanisms in a DFL setting.

The estimators that the operator may use to estimate m_(G) from the perturbed group-performance tuples are as follows.

Estimators of m_(C)

The estimators for the mechanisms may be given by Equation 17, below:

$\begin{matrix} {{\overset{\sim}{m}}_{G}^{L}:={{\frac{1}{an}{\sum}_{j = 1}^{n^{\prime}}v_{j}^{\prime}{and}{\overset{\sim}{m}}_{G}^{R}}:={\frac{1}{{a\left( {{2b} - 1} \right)}n}{\sum}_{j = 1}^{n^{\prime}}v_{j}^{\prime}}}} & (17) \end{matrix}$

where

${a = {{\frac{e^{\epsilon_{1}}}{e^{\epsilon_{1}} + d - 1}{and}b} = {\frac{e^{\epsilon_{2}}}{1 + e^{\epsilon_{2}}}.}}},$

n=|G|, and n′ is the number of clients in group G after the mechanism's perturbation.

The estimators of the mechanisms may be unbiased, such that:

[{circumflex over (m)}_(G) ^(L)]=

[{circumflex over (m)}_(G) ^(R)]=m_(G).

In some embodiments, it may be shown that {circumflex over (m)}_(G) ^(L) is unbiased. Analogously, it may also be shown that {circumflex over (m)}_(G) ^(R) is unbiased.

In some embodiments, values in G may be modeled after applying

_(L) with the mutually independent random variables, such as shown in Equations 18 and 19:

V _(i) =B _(i)(v _(i) +Y _(i)), i=1, . . . ,n  (18)

V _(j) =B _(j)(0+ Y _(j))= B _(j) Yj, j=1, . . . ,K−n  (19)

where V_(i) and V _(j) are the final, perturbed values in group G that originate from group G and G, respectively. The bar may denote that the random variable relates to group G, the complement of G. The random variables B_(i)˜Bernoulli(a) and B _(j)˜Bernoulli(1−a) may model

_(RR), and Y_(i)˜Lap(0, 2/ϵ₂), and Y _(j)˜Lap(0, k/ϵ₂), may model

_(Lap). Thus, the expected value of the estimator may be given by Equations 20-25

$\begin{matrix} \begin{matrix} {{{\mathbb{E}}\left\lbrack {\overset{\hat{}}{m}}_{G}^{L} \right\rbrack} = {\frac{1}{an}\left( {{\sum\limits_{i = 1}^{n}{{\mathbb{E}}\left\lbrack V_{i} \right\rbrack}} + {\sum\limits_{i = 1}^{K - n}{{\mathbb{E}}\left\lbrack \overset{¯}{V_{j}} \right\rbrack}}} \right)}} & {{Linearity}{of}{\mathbb{E}}} \end{matrix} & (20) \end{matrix}$ $\begin{matrix} \begin{matrix} {= {\frac{1}{an}\left( {\sum\limits_{i = 1}^{n}{{\mathbb{E}}\left\lbrack {B_{i}\left( {v_{i} + Y_{i}} \right)} \right\rbrack}} \right)}} & {{{\mathbb{E}}\left\lbrack \overset{¯}{V_{i}} \right\rbrack} = 0} \end{matrix} & (21) \end{matrix}$ $\begin{matrix} \begin{matrix} {= {\frac{1}{an}{\sum\limits_{i = 1}^{n}{{{\mathbb{E}}\left\lbrack B_{i} \right\rbrack}\left( {v_{i} + {{\mathbb{E}}\left\lbrack Y_{i} \right\rbrack}} \right)}}}} & {{Mutual}{independence}} \end{matrix} & (22) \end{matrix}$ $\begin{matrix} \begin{matrix} {= {\frac{1}{an}{\sum\limits_{i = 1}^{n}{{{\mathbb{E}}\left\lbrack B_{i} \right\rbrack}v_{i}}}}} & {{{\mathbb{E}}\left\lbrack Y_{i} \right\rbrack} = 0} \end{matrix} & (23) \end{matrix}$ $\begin{matrix} \begin{matrix} {= {\frac{1}{an}{\sum\limits_{i = 1}^{n}v_{i}}}} & {{{\mathbb{E}}\left\lbrack B_{i} \right\rbrack} = a} \end{matrix} & (24) \end{matrix}$ $\begin{matrix} {= m_{G}} & (25) \end{matrix}$

In some embodiments,

[V _(j)]=0 because E[V _(j)]=0 and that the random variables may be mutually independent.

In some embodiments, it may be shown that estimators themselves are unbiased. A closed-form expressions of their variance may be obtained, hence their MSE.

Using a probabilistic model (as described in Equations 18 and 19), a variance of the estimator {circumflex over (m)}_(G) ^(L) may be determined as shown in Equation 26:

$\begin{matrix} {{{Var}\left\lbrack {\overset{\hat{}}{m}}_{G}^{L} \right\rbrack} = {\frac{1}{a^{2}n^{2}}{{Var}\left\lbrack {{\sum\limits_{i = 1}^{n}{\left( {v_{i} + Y_{i}} \right)B_{i}}} + {\sum\limits_{j = 1}^{K - n}{{\overset{\_}{Y}}_{j}{\overset{\_}{B}}_{j}}}} \right\rbrack}}} & (26) \end{matrix}$

The noise terms may have positive variance and therefore do not cancel out. In some embodiments, the fact that the variables are mutually independent may be used to write the variance of the sum as the sum of variances. The variances of products may then be obtained and may be used with well-known formula for the variance of the product of two independent random variables. Rearranging the terms gives the closed expression of the variance as shown in Equation 27:

$\begin{matrix} {{{Var}\left\lbrack {\overset{\hat{}}{m}}_{G}^{L} \right\rbrack} = {\frac{1}{n}\left( {{v^{2}e^{- \epsilon_{1}}} + {\left( {1 + e^{- \epsilon_{1}}} \right)\left( {\sigma_{L}^{2} + {\frac{K - n}{n}{\overset{\_}{\sigma}}_{L}^{2}e^{- \epsilon_{1}}}} \right)}} \right)}} & (27) \end{matrix}$

where

${v^{2} = {\frac{1}{n}{\sum}_{i = 1}^{n}v_{i}^{2}}},$

and σ_(L) ²,σ _(L) ² are the variances of the Laplace noise distributions (functions of ϵ₂), for clients who do not swap and those who do, respectively. The lower and upper bounds as shown in graph 100 of FIG. 1 are taken using that 0≤v²≤1

The closed-form expression of {circumflex over (m)}_(G) ^(R)'s variance may be obtained similarly, and is given by Equation 28:

$\begin{matrix} {{{Var}\left\lbrack {\overset{\hat{}}{m}}_{G}^{R} \right\rbrack} = {\frac{1}{{a\left( {{2b} - 1} \right)}^{2}n}\left( {1 - {{a\left( {{2b} - 1} \right)}^{2}v^{2}} + {\frac{K - n}{n}\frac{1 - a}{a}}} \right)}} & (28) \end{matrix}$

where a and b are functions of the privacy budgets as previously described.

Δ{circumflex over (m)}* is an unbiased estimator of Δm for the two groups G, G∈

with MSE given by Equation 29.

MSE[Δ{tilde over (m)}*]=MSE[{tilde over (m)} _(G)*]+MSE[{tilde over (m)} _(G) *]  (29)

This is based on the unbiasedness of Δ{circumflex over (m)}*. Due to the unbiasedness of {circumflex over (m)}_(G) ^(L) and the linearity of expectation, the expected value of Δ{circumflex over (m)}* is Δm. Assuming that G is the advantaged group and thus {circumflex over (m)}_(G)*≥{circumflex over (m)} _(G) *, this means that

[|m_(G)*−m _(G) *|]=|m_(G)−m _(G) |.

To show that the variance of Δ{circumflex over (m)}* is the sum of the variance of the mean group value estimators, it sufficies to show that Cov({circumflex over (m)}_(G)*, {circumflex over (m)} _(G) *)=0, which is true if, and only if,

[m_(G)*m _(G) *]=m_(G)m _(G) . By calculating the value of that expectation explicitly, it is observed that many of its terms have an independent Laplace r.v. as a factor and, consequently, these terms become zero. Finally, Bienaymé's identity may be applied to obtain the result shown in Equation 29.

The proof for

_(L) is similar, as the expected value of clients with the group perturbed is zero.

In some embodiments, even though {tilde over (m)}_(G)* and {tilde over (m)} _(G) * are not independent, the errors are uncorrelated, and thus they may add up. Therefore, a closed-form expression of the MSE of Δm may be obtained by adding the closed-form expressions of the group MSEs.

MSE for a Fixed Privacy Budget

As shown previously, the privacy budgets ϵ₁ and ϵ₂ have a different impact on the LDP bound of the mechanism. In some embodiments, to draw a fair comparison between the mechanisms, the parameters that minimize the error on utility for a fixed overall privacy budget ϵ may be found. Using the closed-form expression of the MSE of Δ{circumflex over (m)}*, the estimators for specific values of ϵ₁ and ϵ₂ may be compared. In some embodiments, it may be unclear a priori how to divide a fixed privacy budget into the mechanism's group and performance components to maximize utility. In some embodiments, an allocation that minimizes the MSE of the estimators may be found, for the total privacy budget of the mechanism (ϵ).

Comparison of the Mechanisms

In FIG. 1 , MSE of the performance gap estimator for two groups G and G of the same size is plotted.

_(L) opt. and

_(R) opt. are the mechanisms with optimal parameters. Since the specific set of v_(k)'s has an impact on the MSE, in the graph the lower and upper bounds for each mechanism are shown, which enclose a (colored) region of MSEs.

In the example depicted,

_(L) opt. achieves lower MSE than

_(L) with k=2 for the range of ϵ shown.

_(R) opt.'s MSE is lower than

_(L) opt. only when 0.31≲ϵ≲2.6 but, for ϵ≳2.6 the upper bound of

_(R) opt.'s MSE is larger than the upper bound of

_(L) opt.'s and the gap between the two rapidly widens for larger privacy budgets. As a consequence, there is no overall best mechanism and the operator should select the one that best suits their budget.

Unbalanced Groups

In some embodiments, the impact that an unbalance of group sizes has on the MSE of the estimators is studied. FIG. 2 depicts the upper bounds of the MSEs,

_(R) opt. (left) in graph 200 and

_(L) in graph 210 with k=2 (right), for two groups with different size ratios. As shown, the mechanisms can cope with relatively small groups, but the MSE rapidly grows for minorities that account for less than 1% of the clients. Consequently, the mechanisms would incur high MSE with protected attributes that include small minorities, but would maintain low MSEs for protected attributes like gender and race.

In some embodiments, it has been assumed that the entity performing the measurements knows n. FIG. 2 also quantifies the difference of the mechanisms' MSE when the operator incorrectly estimates the group fractions. For example, when the groups are balanced and the estimate of the group fractions has a relative error of up to 50%, the difference in the MSE values (i.e., the difference between the bold and dotted lines) may be insignificant. This means that the assumption of knowing n may be relaxed in practice to a large extent.

Precision Relative to the Number of Clients

In some embodiments, the mechanisms may allow for high-precision measurements with realistic numbers of clients in the DFL setting. Using Equation 29, a Chebyshev concentration bound may be found and the privacy budget E may be found numerically such that |Δm_(G)*−Δm|<α, for a small α>0, with high probability.

TABLE 1 Minimum privacy budget (ϵ) required to bound the error by α, given K clients, with 0.99 probability. Highlighted are the ϵ's that are considered reasonable.

 _(R) opt.

 _(L) opt. α = α = α = α = α = α = K 10⁻¹ 10⁻² 10⁻³ 10⁻¹ 10⁻² 10⁻³ 10⁵ 1.86 — — 2.56 17.89 178.89 10⁶ 0.63 — — 0.71 6.32 56.57 10⁷ 0.23 1.86 — 0.21 2.56 17.89 10⁸ 0.08 0.63 — 0.07 0.71 6.32 10⁹ 0.02 0.23 1.86 0.02 0.21 2.56

Table 1 shows the minimum privacy budget required to ensure that the error is at most α for various values of α and numbers of clients K, with probability 0.99, for some embodiments. If the operator may afford a higher privacy budget, the bound may still hold but if their privacy budget is lower, the mechanism may not guarantee the bounds.

Due to

_(R)'s discretization step, the maximum estimator variance (attained when all the performance values are zero) tends to a constant (indirectly proportional to group size). Thus, there may be no budget that allows to achieve α for those cells marked with “−”.

These results show that the privacy budgets to achieve an error of less than one percentage point and less of one tenth of a percentage point may be reasonable for K≤10₇ and K≥10⁹ clients, respectively. Even though these may look like large numbers of clients, current DFL deployments have this many, and even more, clients. For example, in 2018 Apple reported a total of half a billion active Ski clients and, in the same year, Gboard surpassed 1 billion installs.

In some embodiments, these bounds may be evaluated on a real-world dataset of performances of a simulated FL deployment. In some embodiments, results show that the bounds not only hold but that they may be overly conservative: in practice, the operators of the mechanisms may be able to ensure the same privacy level by spending less privacy budget. The Chebyshev bounds are known to be loose because they do not make assumptions about the underlying distributions; consequently, tighter bounds may be found.

DP and Secure Multi-Party Computation (SMPC) rely on a third-party to detect and mitigate discrimination. Various DP versions of existing post- and in-processing techniques may be used to train classifiers that satisfy the Equalized Odds constraint. In some embodiments, the mechanisms may operate based on a notion of performance gap as it is more tailored for the DFL setting. In addition, a previous focus has been on mitigating the disparity assuming that it has occurred, while, in some embodiments, the measurement of the disparity is focused on rather than its mitigation.

In contrast to SMPC, the mechanisms described herein may have low computational and bandwidth costs, and may be more robust to client dropouts. Moreover, SMPC and DP provide different privacy guarantees; in particular, SMPC does not limit the information about individual group membership that the aggregator can infer from the measurements.

In some embodiments, the mechanisms described herein may allow the clients and the mechanism operator to measure the performance gap without the aggregator's collaboration.

With FL gaining traction in industry and academia, there is a growing concern that models trained with it will exhibit disparate performance across demographic groups, leading to harms ranging from a mere inconvenience to disparate impact, such as increased surveillance and lower online security for some of the groups. In some embodiments, the performance gap between demographic groups is considered as a notion of (un)fairness in the DFL setting, and the ability to measure it may be crucial towards addressing such harms. However, especially under the privacy aspirations of federated learning, lack of demographic data may hinder the applicability of existing techniques to measure performance disparities in DFL models. This may pose an obstacle to mitigating the harms; e.g., “we can't address what we can't measure.”

In some embodiments, to address the legal, societal, and individual concerns related to the privacy of demographic data, locally differentially private mechanisms are applied that estimate the performance gap while protecting the privacy of the group membership and potentially correlated data such as model performance. For some embodiments, theoretical and experimental results may show that the mechanisms ensure strong privacy guarantees while performing relatively precise performance gap measurements when relying on realistic numbers of clients in the DFL setting and reasonable privacy parameters. In some embodiments, the large scale of existing DFL deployments may offer a unique opportunity to measure and expose the potential disparities while guaranteeing strong privacy to the participants.

Allocating the Privacy Budget for the

_(L) Mechanism

Based on Equation 27, it can be seen that the variance of the unbiased estimator for

_(L) is dominated by ϵ₂. Therefore, since ϵ₁; ϵ₂, and k must satisfy Equation 10, the MSE may be minimized by first setting ϵ₂=ϵ and, then, finding the k that maximizes ϵ₁ under the LDP constraint in Equation 10.

So, if ϵ₂=ϵ in Equation 1, bounds for ϵ₁ can be obtained as shown in Equation 30, below.

$\begin{matrix} \left. {{{\ln\left( \frac{2}{k} \right)} - \frac{\epsilon}{2}} \leq \epsilon_{1} \leq {{\ln\left( \frac{2}{k} \right)} + {\frac{\epsilon}{2}{\lambda(k)}}}} \right) & (30) \end{matrix}$

where

${\lambda(k)} = {2{\left( {1 - \frac{1}{k}} \right).}}$

Thus, this inequality holds iff⅔≤k.

In order to find the k that maximizes ϵ₁, two cases may be considered: 0<ϵ<⅔, and ⅔≤ϵ.

If ⅔≤ϵ, ϵ₁ may be rewritten as the upper bound of ϵ in Equation 30, a function of k, and find that k=ϵ is a maximum for a constant ϵ. However, for 0<k<⅔, Equation 30 does not hold and hence k=ϵ would not satisfy ϵ-LDP. When 0<ϵ<⅔, k=⅔ may be used as the value of k, the minimum k that satisfies ϵ-LDP, as that may minimizes the scale of the Laplace noise. In that case, ϵ₁ may be equal to the upper and lower bounds in Equation 30.

Thus, the maximum ϵ₁ as a function of ϵ may be given by Equation 31, below, as:

$\begin{matrix} {\epsilon_{1} = \left\{ \begin{matrix} {{\ln\left( \frac{2}{\epsilon} \right)} + \epsilon - 1} & {{{if}\frac{2}{3}} \leq \epsilon} \\ {{\ln(3)} - \frac{\epsilon}{2}} & {{{if}0} < \epsilon < \frac{2}{3}} \end{matrix} \right.} & (31) \end{matrix}$

FIG. 3 shows the allocations of the privacy budgets that satisfy the LDP constraint (shaded area) in graph 300. The dashed and dotted borders of the area show the allocations that minimize the MSE for a total privacy budget of ϵ=ϵ₂∈(0,2] for k=2 and k=⅔, respectively. A closer look at the MSE contour lines reveals that the mechanism with k=⅔ achieves lower MSE values than for k=2 when ϵ<⅔.

Empirical Validation

For some embodiments, experiments have been run to validate the correctness of the expressions of the variance of the estimators. In the experiments, two groups were initialized with 10 clients each with fixed performance values. Then, the mechanisms were run a number of times to obtain sets of perturbed tuples and the performance gap estimates were calculated. The empirical MSE is the average of the squared differences between these estimates and the true performance gap. The empirical and theoretical MSE for mechanism

_(R) are plotted in graph 400 of FIG. 4 . It can be seen that, as the number of runs increases, the empirical MSE converges to the theoretical MSE, validating the results.

Empirical Evaluation

For some embodiments, the experiment were performed to evaluate the error of the mechanisms. Since public datasets with sufficient data to model a real-world deployment of DFL are difficult to obtain, a dataset was synthesized by fitting the marginal probability distributions of the protected attribute on a real-world dataset. For some embodiments, results show that the error of the mechanisms in the synthetic data may be orders of magnitude lower than the Chebyshev bounds—obtained as described in a previous section—indicating that an operator who uses the Chebyshev bounds may be overly conservative in their privacy risk assessment.

Data Generation

In some embodiments, a data generation model may be based on an activity detection dataset. The dataset comprises sensor readings for 14 subjects who were instructed to perform a number of scripted daily activities in two different rooms. The features include the sensor's readings of time, accelerometer position, and radio signal's strength, frequency, and phase. The labels describe one of these activities: sitting, lying down, or ambulating. In some embodiments, the detection task was binarized by relabeling the data to whether or not the subject was lying down.

In some embodiments, “sex” was selected as the protected attribute in the data. Although the sex of the subject was annotated per each trial-25 male and 62 female—there was no mapping between trials and subjects. Thus, it was assumed that each recorded session represents a different FL client, with each client having an average of 864 samples. In some embodiments, the data was stratified ensuring that clients have the same data distribution between training and test sets (70% of the samples for training and 30% for testing).

In some embodiments, federated learning of a model was simulated by training a logistic regression model. In some embodiments, this may the global model trained with the data of all clients. Since the performance of the model, as simulated, was nearly perfect, resulting in almost all the clients having a zero false positive rate, some of the accelerometer features were dropped (e.g., discarded) to increase the difficulty of the learning task. The global model's hold-out average test accuracy for 10 runs was 84.37%, with a false positive rate (FPR) of 10.69%, and a true positive rate (TPR) of 82.05% (all SD values are smaller than 1%). Then, in some embodiments, the global model was independently tested on each client's test set, resulting in two performance values for each client. The TPR and the FPR may be used as performance metrics: the mean TPRs are 89.01% and 71.77% and the mean FPRs are 15.26% and 24.90% for males and females, respectively. In some embodiments, a significant performance gap was observed on both metrics: ΔTPR=17.33% and ΔFPR=9.63%.

Regression Model Implementation

In some embodiments, the evaluation of the logistic regression model was implemented with Python 3.7.6 and sklearn 0.22.1.

In some embodiments, Elastic-Net loss (with a 0.99 L1 component) was used and SAGA as the algorithm to minimize it. In some embodiments, to balance the classes, class weights were adjusted inversely proportional to class frequency. In some embodiments, to find these hyperparameters, optimization for best generalization performance was not performed, as in inducing an disparate performance between the groups in test data may be desirable.

For some embodiments, the model selection was evaluated by 10 runs of hold-out cross-validation (70-30% as the random training-testing split). For some embodiments, a PRNG seed was fixed and the source code provided.

Error of the DP Mechanism

In some embodiments, to generate synthetic data for the global model's performance on new clients, the marginal distribution of sex may be modeled to have the same mean and v² as the observations. For the purpose of evaluating the error of the mechanisms, the exact distribution is fit may not be important, thus samples may be drawn with replacement from the set of observations. This sampling methodology may ensure that the relevant statistics are preserved and enough data may be generated to represent a realistic DFL deployment.

Table 2 compares the empirical error with the 0.99-probability bounds (a) obtained with the procedure explained in the previous section, for a range of privacy budgets (c). The bounds are one order of magnitude larger than the actual error. This means that the budget that the operator may need to allocate to satisfy a certain α for 10⁷ clients may be substantially lower than the ones shown in Table 1. As a consequence, following the Chebyshev bounds from the previous section may result in an overly conservative measurement with respect to the privacy of the users, and operators with small privacy budgets may be able afford more accurate measurements without an impact on user privacy

TABLE 2 Comparison of the Chebyshev bounds with the empirical mean error of 10 runs of the mechanisms on the synthetic dataset for K = 10⁷ clients. The first column is the privacy budget, followed by the mean error (and standard deviation) of the estimates on the data and the 0.99-probability Chebyshev's bounds (α) for each mechanism.

 _(R) opt.

 _(L) opt. ϵ |Δ{circumflex over (m)}^(R) − Δm| α |Δ{circumflex over (m)}^(R) − Δm| α 0.01 0.1241(±0.1410) 1.2586 0.0504(±0.0337) 1.0525 0.10 0.0082(±0.0059) 0.1206 0.0046(±0.0040) 0.1060 1.00 0.0008(±0.0006) 0.0094 0.0008(±0.0005) 0.0118 10.00 0.0001(±0.0000) 0.0032 0.0001(±0.0000) 0.0009

FIG. 5 is a system diagram that illustrates an example distributed computing system that may be used to implement techniques described herein. Various portions of systems and method described herein may include of be executed on a system of computing devices similar to distributed system 500. Further, processes and modules described herein may be executed by one or more processing systems similar to that of distributed system 500.

Distributed system 500 may include an aggregate model 510. The aggregate model 510 may operate based on federated learning. The aggregate model 510 may be an aggregator, which may learn parameters from clients, such as client A and client B. Although client A and client B are depicted, the aggregate model 510 may have many clients, including 10s of clients, 100s of clients, etc. The number of clients may be given by client population K, which may be 10⁷ or even greater. The aggregate model 510 may be any appropriate model.

Distributed system 500 may include computing devices of users, such as a computing device of client A 500 a and a computing device of client B 500 b. Each client may have sensitive attributes. Each client may have a group membership, such as gA for client A and gB for client B. Client group membership may be a sensitive attribute. Each client may operate a local mode, such as on a client computing device. Each client's local model may be independently trained, such as based on client data. Each client's local model may receive parameters from the aggregate model 510 and then train such parameters. Each client's local model may send model parameters 540 to the aggregate model 510 after training, upon which the aggregate model 510 may be updated. For each user, the local model may receive an input, such as input 520 a for client A and input 520 b for client B. For each user, the local model may produce an output, such as output 530 a for client A and output 530 b for client B. The performance of the local model may be evaluated based on the local output, such as to produce a performance value v 560 a for client A and a performance value v 560 b for client B. The performance of the local model may be a sensitive attribute. A mechanism

, which may be

_(R) or

_(L), may be used to protect the privacy of a client's sensitive attribute. The mechanism

may operate on the client's computing device, such as within a security envelope. The mechanism

may produce a perturbed tuple which may be used to generate a disparate performance measure 550, which may measure the difference in performance for members of various groups while maintaining group privacy.

FIG. 6 is a system diagram that illustrates an example computing system that may be used as a component of systems implementing techniques described herein. Various portions of systems and methods described herein may include or be executed on one or more computing systems similar to computing system 1100. Further, processes and modules described herein may be executed by one or more processing systems similar to that of computing system 1100.

Computing system 1100 may include one or more processors (e.g., processors 1110 a-1110 n) coupled to system memory 1120, and an I/O device interface 1130 via an input/output (I/O) interface 1150. A processor may include a single processor or a plurality of processors (e.g., distributed processors). A processor may be any suitable processor capable of executing or otherwise performing instructions. A processor may include a central processing unit (CPU) that carries out program instructions to perform the arithmetical, logical, and input/output operations of computing system 1100. A processor may execute code (e.g., processor firmware, a protocol stack, a database management system, an operating system, or a combination thereof) that creates an execution environment for program instructions. A processor may include a programmable processor. A processor may include general or special purpose microprocessors. A processor may receive instructions and data from a memory (e.g., system memory 1120). Computing system 1100 may be a uni-processor system including one processor (e.g., processor 1110 a-1110 n), or a multi-processor system including any number of suitable processors (e.g., 1110 a-1110 n). Multiple processors may be employed to provide for parallel or sequential execution of one or more portions of the techniques described herein. Processes, such as logic flows, described herein may be performed by one or more programmable processors executing one or more computer programs to perform functions by operating on input data and generating corresponding output. Processes described herein may be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit). Computing system 1100 may include a plurality of computing devices (e.g., distributed computing systems) to implement various processing functions.

The I/O device interface 1130 may comprise one or more I/O device interface, for example to provide an interface for connection of one or more I/O devices 1160 to computing system 1100. The I/O device interface 1130 may include devices that receive input (e.g., from a user) or output information (e.g., to a user). The I/O device interface 1130 may include, for example, graphical user interface presented on displays (e.g., a cathode ray tube (CRT) or liquid crystal display (LCD) monitor), pointing devices (e.g., a computer mouse or trackball), keyboards, keypads, touchpads, scanning devices, voice recognition devices, gesture recognition devices, printers, audio speakers, microphones, cameras, or the like. The I/O device interface 1130 may be connected to computing system 1100 through a wired or wireless connection. The I/O device interface 1130 may be connected to computing system 1100 from a remote location. The I/O device interface 1130 may be in communication with one or more other computing systems. Other computing units, such as located on remote computer system, for example, may be connected to computing system 1100 via a network, such as via a network interface 1140. The I/O device interface 1130 may be a user interface. The I/O device interface 1130 may connect multiple computer systems.

System memory 1120 may be configured to store program instructions 1170 or data 1180. Program instructions 1170 may be executable by a processor (e.g., one or more of processors 1110 a-1110 n) to implement one or more embodiments of the present techniques. Program instructions 1170 may include modules of computer program instructions for implementing one or more techniques described herein with regard to various processing modules. Program instructions may include a computer program (which in certain forms is known as a program, software, software application, script, or code). A computer program may be written in a programming language, including compiled or interpreted languages, or declarative or procedural languages. A computer program may include a unit suitable for use in a computing environment, including as a stand-alone program, a module, a component, or a subroutine. A computer program may or may not correspond to a file in a file system. A program may be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub programs, or portions of code). A computer program may be deployed to be executed on one or more computer processors located locally at one site or distributed across multiple remote sites and interconnected by a communication network.

System memory 1120 may include a tangible program carrier having program instructions stored thereon. A tangible program carrier may include a non-transitory computer readable storage medium. A non-transitory computer readable storage medium may include a machine-readable storage device, a machine-readable storage substrate, a memory device, or any combination thereof. Non-transitory computer readable storage medium may include non-volatile memory (e.g., flash memory, ROM, PROM, EPROM, EEPROM memory), volatile memory (e.g., random access memory (RAM), static random-access memory (SRAM), synchronous dynamic RAM (SDRAM)), bulk storage memory (e.g., CD-ROM and/or DVD-ROM, hard-drives), or the like. System memory 1120 may include a non-transitory computer readable storage medium that may have program instructions stored thereon that are executable by a computer processor (e.g., one or more of processors 1110 a-1110 n) to cause the subject matter and the functional operations described herein. A memory (e.g., system memory 1120) may include a single memory device and/or a plurality of memory devices (e.g., distributed memory devices). Instructions or other program code to provide the functionality described herein may be stored on a tangible, non-transitory computer readable media. In some cases, the entire set of instructions may be stored concurrently on the media, or in some cases, different parts of the instructions may be stored on the same media at different times.

I/O interface 1150 may be configured to coordinate I/O traffic between processors 1110 a-1110 n, system memory 1120, I/O device interface 1130, network interface 1140, etc. I/O interface 1150 may perform protocol, timing, or other data transformations to convert data signals from one component (e.g., system memory 1120) into a format suitable for use by another component (e.g., processors 1110 a-1110 n). I/O interface 1150 may include support for devices attached through various types of peripheral buses, such as a variant of the Peripheral Component Interconnect (PCI) bus standard or the Universal Serial Bus (USB) standard.

Embodiments of the techniques described herein may be implemented using a single instance of computing system 1100 or multiple computing systems 1100 configured to host different portions or instances of embodiments. Multiple computing systems 1100 may provide for parallel or sequential processing/execution of one or more portions of the techniques described herein.

Those skilled in the art will appreciate that computing system 1100 is merely illustrative and is not intended to limit the scope of the techniques described herein. Computing system 1100 may include any combination of devices or software that may perform or otherwise provide for the performance of the techniques described herein. For example, computing system 1100 may include or be a combination of a cloud-computing system, a data center, a server rack, a server, a virtual server, a desktop computer, a laptop computer, a tablet computer, a server device, a client device, a mobile telephone, a personal digital assistant (PDA), a mobile audio or video player, a game console, a vehicle-mounted computer, or a Global Positioning System (GPS), or the like. Computing system 1100 may also be connected to other devices that are not illustrated, or may operate as a stand-alone system. In addition, the functionality provided by the illustrated components may in some embodiments be combined in fewer components or distributed in additional components. Similarly, in some embodiments, the functionality of some of the illustrated components may not be provided or other additional functionality may be available.

Those skilled in the art will also appreciate that while various items are illustrated as being stored in memory or on storage while being used, these items or portions of them may be transferred between memory and other storage devices for purposes of memory management and data integrity. Alternatively, in other embodiments some or all of the software components may execute in memory on another device and communicate with the illustrated computer system via inter-computer communication. Some or all of the system components or data structures may also be stored (e.g., as instructions or structured data) on a computer-accessible medium or a portable article to be read by an appropriate drive, various examples of which are described above. In some embodiments, instructions stored on a computer-accessible medium separate from computing system 1100 may be transmitted to computing system 1100 via transmission media or signals such as electrical, electromagnetic, or digital signals, conveyed via a communication medium such as a network or a wireless link. Various embodiments may further include receiving, sending, or storing instructions or data implemented in accordance with the foregoing description upon a computer-accessible medium. Accordingly, the present techniques may be practiced with other computer system configurations.

While various items are illustrated as being stored in memory or on storage while being used, these items or portions of them may be transferred between memory and other storage devices for purposes of memory management and data integrity. Alternatively, in other embodiments some or all of the software components may execute in memory on another device and communicate with the illustrated computer system via inter-computer communication. Some or all of the system components or data structures may also be stored (e.g., as instructions or structured data) on a computer-accessible medium or a portable article to be read by an appropriate drive, various examples of which are described above. In some embodiments, instructions stored on a computer-accessible medium separate from computer system may be transmitted to computer system via transmission media or signals such as electrical, electromagnetic, or digital signals, conveyed via a communication medium such as a network or a wireless link. Various embodiments may further include receiving, sending, or storing instructions or data implemented in accordance with the foregoing description upon a computer-accessible medium. Accordingly, the present techniques may be practiced with other computer system configurations.

In block diagrams, illustrated components are depicted as discrete functional blocks, but embodiments are not limited to systems in which the functionality described herein is organized as illustrated. The functionality provided by each of the components may be provided by software or hardware modules that are differently organized than is presently depicted, for example such software or hardware may be intermingled, conjoined, replicated, broken up, distributed (e.g., within a data center or geographically), or otherwise differently organized. The functionality described herein may be provided by one or more processors of one or more computers executing code stored on a tangible, non-transitory, machine readable medium. In some cases, notwithstanding use of the singular term “medium,” the instructions may be distributed on different storage devices associated with different computing devices, for instance, with each computing device having a different subset of the instructions, an implementation consistent with usage of the singular term “medium” herein. In some cases, third party content delivery networks may host some or all of the information conveyed over networks, in which case, to the extent information (e.g., content) is said to be supplied or otherwise provided, the information may be provided by sending instructions to retrieve that information from a content delivery network.

The reader should appreciate that the present application describes several independently useful techniques. Rather than separating those techniques into multiple isolated patent applications, applicants have grouped these techniques into a single document because their related subject matter lends itself to economies in the application process. But the distinct advantages and aspects of such techniques should not be conflated. In some cases, embodiments address all of the deficiencies noted herein, but it should be understood that the techniques are independently useful, and some embodiments address only a subset of such problems or offer other, unmentioned benefits that will be apparent to those of skill in the art of reviewing the present disclosure. Due to costs constraints, some techniques disclosed herein may not be presently claimed and may be claimed in later filings, such as continuation applications or by amending the present claims. Similarly, due to space constraints, neither the Abstract nor the Summary of the Invention sections of the present document should be taken as containing a comprehensive listing of all such techniques or all aspects of such techniques.

It should be understood that the description and the drawings are not intended to limit the present techniques to the particular form disclosed, but to the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the present techniques as defined by the appended claims. Further modifications and alternative embodiments of various aspects of the techniques will be apparent to those skilled in the art in view of this description. Accordingly, this description and the drawings are to be construed as illustrative only and are for the purpose of teaching those skilled in the art the general manner of carrying out the present techniques. It is to be understood that the forms of the present techniques shown and described herein are to be taken as examples of embodiments. Elements and materials may be substituted for those illustrated and described herein, parts and processes may be reversed or omitted, and certain features of the present techniques may be utilized independently, all as would be apparent to one skilled in the art after having the benefit of this description of the present techniques. Changes may be made in the elements described herein without departing from the spirit and scope of the present techniques as described in the following claims. Headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description.

As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). The words “include”, “including”, and “includes” and the like mean including, but not limited to. As used throughout this application, the singular forms “a,” “an,” and “the” include plural referents unless the content explicitly indicates otherwise. Thus, for example, reference to “an element” or “a element” includes a combination of two or more elements, notwithstanding use of other terms and phrases for one or more elements, such as “one or more.” The term “or” is, unless indicated otherwise, non-exclusive, i.e., encompassing both “and” and “or.” Terms describing conditional relationships, e.g., “in response to X, Y,” “upon X, Y,”, “if X, Y,” “when X, Y,” and the like, encompass causal relationships in which the antecedent is a necessary causal condition, the antecedent is a sufficient causal condition, or the antecedent is a contributory causal condition of the consequent, e.g., “state X occurs upon condition Y obtaining” is generic to “X occurs solely upon Y” and “X occurs upon Y and Z.” Such conditional relationships are not limited to consequences that instantly follow the antecedent obtaining, as some consequences may be delayed, and in conditional statements, antecedents are connected to their consequents, e.g., the antecedent is relevant to the likelihood of the consequent occurring. Statements in which a plurality of attributes or functions are mapped to a plurality of objects (e.g., one or more processors performing steps A, B, C, and D) encompasses both all such attributes or functions being mapped to all such objects and subsets of the attributes or functions being mapped to subsets of the attributes or functions (e.g., both all processors each performing steps A-D, and a case in which processor 1 performs step A, processor 2 performs step B and part of step C, and processor 3 performs part of step C and step D), unless otherwise indicated. Similarly, reference to “a computer system” performing step A and “the computer system” performing step B can include the same computing device within the computer system performing both steps or different computing devices within the computer system performing steps A and B. Further, unless otherwise indicated, statements that one value or action is “based on” another condition or value encompass both instances in which the condition or value is the sole factor and instances in which the condition or value is one factor among a plurality of factors. Unless otherwise indicated, statements that “each” instance of some collection have some property should not be read to exclude cases where some otherwise identical or similar members of a larger collection do not have the property, i.e., each does not necessarily mean each and every. Limitations as to sequence of recited steps should not be read into the claims unless explicitly specified, e.g., with explicit language like “after performing X, performing Y,” in contrast to statements that might be improperly argued to imply sequence limitations, like “performing X on items, performing Y on the X'ed items,” used for purposes of making claims more readable rather than specifying sequence. Statements referring to “at least Z of A, B, and C,” and the like (e.g., “at least Z of A, B, or C”), refer to at least Z of the listed categories (A, B, and C) and do not require at least Z units in each category. Unless specifically stated otherwise, as apparent from the discussion, it is appreciated that throughout this specification discussions utilizing terms such as “processing,” “computing,” “calculating,” “determining” or the like refer to actions or processes of a specific apparatus, such as a special purpose computer or a similar special purpose electronic processing/computing device. Features described with reference to geometric constructs, like “parallel,” “perpendicular/orthogonal,” “square”, “cylindrical,” and the like, should be construed as encompassing items that substantially embody the properties of the geometric construct, e.g., reference to “parallel” surfaces encompasses substantially parallel surfaces. The permitted range of deviation from Platonic ideals of these geometric constructs is to be determined with reference to ranges in the specification, and where such ranges are not stated, with reference to industry norms in the field of use, and where such ranges are not defined, with reference to industry norms in the field of manufacturing of the designated feature, and where such ranges are not defined, features substantially embodying a geometric construct should be construed to include those features within 15% of the defining attributes of that geometric construct. The terms “first”, “second”, “third,” “given” and so on, if used in the claims, are used to distinguish or otherwise identify, and not to show a sequential or numerical limitation. As is the case in ordinary usage in the field, data structures and formats described with reference to uses salient to a human need not be presented in a human-intelligible format to constitute the described data structure or format, e.g., text need not be rendered or even encoded in Unicode or ASCII to constitute text; images, maps, and data-visualizations need not be displayed or decoded to constitute images, maps, and data-visualizations, respectively; speech, music, and other audio need not be emitted through a speaker or decoded to constitute speech, music, or other audio, respectively. Computer implemented instructions, commands, and the like are not limited to executable code and can be implemented in the form of data that causes functionality to be invoked, e.g., in the form of arguments of a function or API call. To the extent bespoke noun phrases (and other coined terms) are used in the claims and lack a self-evident construction, the definition of such phrases may be recited in the claim itself, in which case, the use of such bespoke noun phrases should not be taken as invitation to impart additional limitations by looking to the specification or extrinsic evidence.

In this patent, to the extent any U.S. patents, U.S. patent applications, or other materials (e.g., articles) have been incorporated by reference, the text of such materials is only incorporated by reference to the extent that no conflict exists between such material and the statements and drawings set forth herein. In the event of such conflict, the text of the present document governs, and terms in this document should not be given a narrower reading in virtue of the way in which those terms are used in other materials incorporated by reference. 

1. A method for determining a performance gap of a model for users of different groups, comprising: obtaining, with a computer system, group membership values and data values for a set of users; applying, with the computer system, a first perturbation to group membership values of a first subset of the set of users; applying, with the computer system, a second perturbation to perturb data values for the first subset of the set of users based on the applied first perturbation; and outputting, with the computer system, data values and group membership values for a perturbed set of users, wherein the perturbed set of users corresponds to users of the set of users with perturbed data values, perturbed group membership values, or a combination thereof.
 2. The method of claim 1, wherein the model is a federated learning model and outputting is performed by storing the data values and group membership values in memory.
 3. The method of claim 2, wherein the data values are performance values of the model.
 4. The method of claim 2, wherein the data values are performance values of the model as measured by a client.
 5. The method of claim 1, wherein applying the first perturbation comprises generating a perturbed group membership value which is different than the group membership value for a first portion of the first subset of the set of users.
 6. The method of claim 5, wherein the first perturbation maintains a group membership value with a probability a and perturbs a group membership value with a probability 1−a for the first portion of the first subset of the set of users.
 7. The method of claim 5, wherein the first perturbation is a randomized response perturbation.
 8. The method of claim 5, wherein applying the second perturbation comprises: applying a third perturbation to perturb data values for the first portion of the first subset of users.
 9. The method of claim 8, wherein the third perturbation maintains an expectation value for the data values of the portion of the first subset of the set of users.
 10. The method of claim 5, wherein applying the second perturbation comprises: applying a fourth perturbation to perturb data values for a second portion of the first subset of the set of users, where users of the second portion of the first subset of the set of user comprise users for whom first perturbation maintains the group membership value.
 11. The method of claim 1, wherein applying the fourth second perturbation comprises applying a discretization or a randomized response perturbation.
 12. The method of claim 1, wherein applying the fourth second perturbation comprises applying a Laplacian perturbation.
 13. A method for determining a performance gap of a model for users of different groups, comprising: obtaining, with a computer system, group membership values and data values of a user; applying, with the computer system, a first perturbation to a group membership values of the user; applying, with the computer system, a second perturbation to data values of the user based on the applied first perturbation; and outputting, with the computer system, perturbed data values and perturbed group membership values of the user.
 14. The method of claim 13, wherein the model is a federated learning model and outputting is performed by storing the perturbed data values and the perturbed group membership values in memory.
 15. The method of claim 13, wherein the data values are performance values of the model.
 16. The method of claim 13, wherein applying the first perturbation comprises generating a perturbed group membership value which is different than the group membership value for the user with a probability 1−a and maintaining the group membership value with a probability a.
 17. The method of claim 13, wherein applying the second perturbation comprises applying a third perturbation to perturb data values for the user if the perturbed group membership value is different than the group membership value, wherein the third perturbation maintains an expectation value of data values.
 18. The method of claim 17, wherein the third perturbation generates an expectation value of zero for perturbed data values.
 19. The method of claim 13, wherein applying the second perturbation comprises applying a fourth perturbation to perturb data values for the user if the perturbed group membership value is the same as the group membership value, wherein the fourth perturbation maintains an expectation value of data values.
 20. The method of claim 19, wherein the fourth perturbation randomizes data values while maintaining an expectation value. 